Biometric fingerprint technology is no longer a novelty. In fact, today’s banks and card issuers are looking to integrate fingerprint biometric technology into every day payment cards to provide customers with convenient and secure payments. According to research carried out by IDEX Biometrics, 66% of consumers anticipate biometric fingerprint payment cards will be introduced this year. To bring biometric fingerprint technology to the mass market, and meet consumer expectations, the banking industry must remain at the forefront of innovation and embrace this new technology.
Whilst there is no denying the fingerprint biometric smart card is reaching its inflection point, one barrier to mass market adoption is the cost of the sensors needed to take each person’s biometric fingerprint data. To combat this, many producers of these sensors have looked to limit costs by reducing the size of the sensors used. Whilst this may provide a cheaper solution for those using expensive materials such as silicon as a base, there is no denying that ‘bigger is better’ when it comes to biometric fingerprint sensors.
By using a larger sensor, the card is able to capture a much greater surface area and therefore a larger proportion of biometric data from a person’s fingerprint. Consequently, accuracy is inherently is improved, as the biometric template captured has more data to inform fingerprint authentication. In essence – the smaller the sensor, the more touches required by a user to obtain the same amount of information that would be gained from just a couple of touches of a larger sensor.
Size = usability and accuracy over security
Not only does the size of sensor effect the usability of it, but also the reliability. If the sensor has only captured a small part of the overall fingerprint, trying to match this in everyday use will be extremely difficult. People are unlikely to place their finger on a sensor in exactly the same position every single time, so it is important that the sensor is large enough to capture the fingerprint at a variety of ergonomically friendly angles, including the tips of the user’s thumb. This pinching action, known as ‘tip touching’ is very natural when handling a payment card and must therefore be accounted for.
The biometric data obtained from our fingerprints is also extremely volatile and anything from varying pressure when touching the sensor, to scarred tissue on the fingerprint, can affect the fingerprint authentication process. Inconsistencies in our fingerprints, such as these, can cause ‘false negative’ responses. This is when a valid biometric sample is provided, but the system falsely rejects it.
A high number of false rejects simply will not suffice when it comes to day-to-day consumer card usage. Failed matches when trying to authenticate a payment in store would not just prove inconvenient for consumers but could also cause significant delays for the retailer taking the payment. In an age where consumers have become accustomed to seamless payment processes – multiple failed attempts to match a fingerprint are not an option and could hinder the mass adoption of biometric fingerprint payment cards.
It’s a match!
In order for a first-time match to be possible, a high-quality biometric fingerprint template must be created in the initial enrolment process – and to achieve this a larger sensor is critical. Larger sensors require less touches to enrol the fingerprint – the smaller the sensor the more times an enrolee needs to touch the sensor in order to capture an image of the whole surface of the finger.
Some manufacturers are getting around this problem by partially enrolling the fingerprint, by adding a fragment of the fingerprint and then adding to data to the template, once the card is in use. According to a new study from New York University Tandon School of Engineering, ‘partial’ fingerprints are less likely to be unique than full prints, making smaller fingerprint-based security systems less secure and more vulnerable than previously thought[1].
This method of enrolment, known as dynamic enrol, is leaving a huge security hole in the use of fingerprint biometrics and putting users at risk as a result. If a template can be changed, then over time the fingerprint biometric data originally enrolled onto the card can be gradually replaced. These ‘climbing attacks’ mean that potential fraudsters could use a card that has only been partially enrolled and add their own biometric fingerprint data to it – therefore gaining access to your bank account.
For the payments industry, where security is paramount, a smaller sensor could effectively be creating more security threats rather than combatting them. If consumers and financial institutions are to fully embrace the biometric fingerprint payment cards as a means of authenticating payments, then necessary measures to ensure optimal security must be taken.
Size really does matter…
Whilst the benefits of larger sensors are clear, there remains the perception sensors should be as small as possible. Many sensor manufacturers are taking their lead from mobile manufacturers who require the sensor to fit within the smartphone display. This space is particularly tight and means that smaller can be better in this situation. But, the use case in cards and mobiles are very different. Mobiles have higher processing power and a finger guide to autocentre the finger, so reducing the size of the sensor has very little impact. A payment card, on the other hand, has no power source, but it does have a large area of unused space to facilitate a much larger sensor.
Size will be a key differentiator for brands entering the payments arena and those who adopt a larger sensor will be pivotal to the rollout of biometric fingerprint technology to the mass market. By improving accuracy, usability and most importantly security, we can expect the size of the biometric fingerprint sensors to have a huge impact on its acceptance and usage within everyday payments.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.